From 372eb706437db9ecc72f7fed9237ca2db21c4cb0 Mon Sep 17 00:00:00 2001
From: "Marco A. Nina Mena"
Date: Sun, 6 Aug 2017 20:19:26 -0400
Subject: [PATCH] HOR-3548 Users can log in with just a password hash without knowing the clear text password - Check if the password contains password hashes.
---
 workflow/engine/methods/login/authentication.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/workflow/engine/methods/login/authentication.php b/workflow/engine/methods/login/authentication.php
index ed7e32196..7152e29db 100644
--- a/workflow/engine/methods/login/authentication.php
+++ b/workflow/engine/methods/login/authentication.php
@@ -41,6 +41,18 @@ try {
 die();
 }
+ //Check if the password contains the password hashes
+ if (!empty($_POST['form']['USR_PASSWORD']) && strlen($_POST['form']['USR_PASSWORD']) > 32) {
+ $pass = trim($_POST['form']['USR_PASSWORD']);
+ foreach (Bootstrap::getPasswordHashConfig() as $key => $hash) {
+ $search = substr($pass, 0, strlen($hash) + 1);
+ if ($search == $hash . ':') {
+ $pass = substr($pass, strlen($hash) + 1);
+ }
+ }
+ $_POST['form']['USR_PASSWORD'] = $pass;
+ }
+
 $frm = $_POST['form'];
 if (isset($frm['USR_USERNAME'])) {
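Review bot: The `trim()` inside the new branch changes the submitted credential for every password longer than 32 characters, not only for ones carrying a `hash:` prefix, so a legitimate long password with leading or trailing whitespace will no longer match while a shorter one still does; assign `$pass = $_POST['form']['USR_PASSWORD'];` and let the prefix strip be the only modification. The `> 32` guard is a heuristic tied to the length of one digest type and the prefix comparison uses loose `==`; stripping the prefix whenever it is present, `if (!empty($_POST['form']['USR_PASSWORD'])) {` with `if ($search === $hash . ':') {`, is simpler to reason about and does not depend on digest length. The comparison is also case-sensitive, so whether `MD5:` needs the same treatment depends on how the downstream verification reads the prefix, which is not visible here and is worth confirming. A comment stating the intent would help the next reader, e.g. `// Strip any "<algorithm>:" prefix so a submitted digest is always re-hashed as clear text rather than accepted as a pre-computed hash`. The enclosing `try` block begins before this hunk.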